RSA Break-In Leaves SecurID Users Sweating Bullets

By Richard Adhikari
Mar 18, 2011 12:20 PM PT

Hackers have broken into and stolen information from RSA's systems, a move that may have seriously reduced the security firm's street cred.

RSA is the sponsor of a major security conference bearing its name. The gathering attracts the creme de la creme of the IT industry as well as government bigwigs such as United States Deputy Secretary of Defense William Lynn III and former U.S. Secretary of Homeland Security Michael Chertoff.

The company has been promoting its two-factor authentication feature, SecurID, as a secure solution.

"Two-factor authentication is typically used to protect higher-sensitivity access or assets, and SecurID is a popular two-factor authentication product," Scott Crawford, a research director at Enterprise Management Associates (EMA), told TechNewsWorld.

The attackers apparently managed to steal some information about SecurID products. That may open the door to attacks on other organizations that use SecurID to protect themselves.

Describing the attack as "extremely sophisticated" in an open letter to customers, RSA chairman Art Coviello warned that the information stolen could be used to reduce the effectiveness of their two-factor authentication implementations as the prelude to a broader attack.

In the wake of the attack, RSA has made a number of recommendations to SecureCare Online customers.

RSA's Statements on the Attack

The note indicates that RSA has responded to the attack by further hardening its IT infrastructure. It's investigating the attack and working closely with the appropriate authorities.

Some of the information stolen from RSA's systems is related to SecurID products, RSA said. Although that information doesn't enable a successful attack on SecurID customers, it could be used to weaken two-factor protection as part of a broader attack, RSA warned.

The hackers' objective could be to find ways to gain access to assets and resources protected by SecurID, such as administrative access to sensitive IT systems, EMA's Crawford suggested.

APT is the current buzzword in the security industry, and refers to a constant series of attacks using sophisticated techniques that are often modified to get around the improvements that targets make to their security infrastructures.

What SecurID Customers Should Do

First off, SecurID customers should increase security for social media applications and the use of those applications and websites by anyone with access to their critical networks, RSA said. In other words, control employees' access to social media over the corporate network.

"It's possible that the attack started with a social engineering attack such as a targeted Trojan using some sort of zero-day, and likely embedded in a document rather than as a naked executable," David Harley, a senior research fellow at ESET, suggested.

RSA's advisory to SecureCare customers seems to indicate that social engineering was the vector of this attack, Crawford surmised. Organizations have to think more seriously about how social network activity can or should be controlled or isolated from business activity, he added.

SecurID customers should also enforce strong password and PIN number policies, strongly control privileges accorded to security administrators, focus on security around their active directories, and harden and update their security products and operating systems with the latest patches.

In addition, SecurID customers should closely monitor and limit remote and physical access to critical security software servers and watch closely for changes in user privilege levels and access rights.

"It appears that RSA is recommending their customers and partners use the same monitoring technology that they are using to stop similar types of attacks," Steve Shillingford, president and CEO of Solera Networks, told TechNewsWorld.

APTs and the Threat Scenario

Whether or not the so-called APT actually used advanced techniques is open to doubt.

"The term 'APT' can be deceptive, since an 'advanced' attack may use sadly well-proven techniques such as social engineering to gain an advantage, even if more sophisticated tactics include purpose-built malware requiring highly specific knowledge of the target," EMA's Crawford pointed out.

"Given the kind of work RSA does, it's likely that the ultimate aim is an attack on other entities, perhaps even critical national infrastructure, rather than a direct attack on the company and its intellectual property," Harley told TechNewsWorld.

Was RSA Lax?

The attack on RSA shows how important it is for security vendors to further tighten their own security, Crawford remarked.

So, was RSA perhaps not as gung-ho about its own security as it should have been? Could it have fallen down on the job?

"All security vendors are targets," Randy Abrams, director of technical education at ESET, told TechNewsWorld. The attackers have significant advantages in terms of being able to watch and not be detected. They can wait and slowly glean information. They can choose when and how they attack," he added.

"Such an attack could be successful against virtually any organization in possession of assets seen as sufficiently valuable by a dedicated adversary," EMA's Crawford said.

In other words, no one's safe. So, how can companies harden security further to keep the security vandals out, as RSA has suggested its customers do?

"Active and continuous monitoring is the answer," Solera's Shillingford suggested. "It's not about building higher walls; it's about having a more aggressive security posture and complete situational awareness on the network."